E-Discovery: The stormy nature of the cloud

There is little argument that cloud computing and software-as-a-service (SaaS) platforms have created a paradigm shift in enterprise technology and IT as a whole. Companies of all sizes—public and private—seeking to reduce storage costs and improve overall efficiency and integration with partners are increasingly turning to the cloud to house information and run essential business functions remotely.

How will cloud-based applications impact corporate legal departments and their outside counsel in the future?

Historically speaking, SaaS-based solutions have driven innovation in the e-discovery market. Since the introduction of SaaS-based document review tools in the 1990s, software and service providers have been challenged to expand the capabilities of solutions they provide to users with even more control along all phases of the electronic discovery reference model (EDRM). Today, software and service providers are introducing tools to help users manage, preserve, collect, process, review, analyze and produce documents on a single, do-it-yourself platform harnessing the power of SaaS-based technology dominated by the cloud.

With the movement of email, user files and workgroup data to cloud computing, new challenges for e-discovery have emerged. The sheer volume of data and the expense of storing it are the primary drivers behind the move to cloud computing. These drivers are also the primary reason preserving and collecting data from the cloud remains a challenge for organizations. Organizations have been stressed with preserving and collecting data behind their own firewalls, so it is understandable that moving this data outside the organization creates additional e-discovery challenges. Data is gradually added to the cloud over time, file by file, resulting in gigabytes, terabytes and even petabytes of information being stored on remote servers which are partially under the control the organizations storing their data in the cloud. Unfortunately, the e-discovery preservation/collection process doesn’t get this same benefit of unlimited time.

Outsourcing to SaaS-based technology in the cloud typically begins with a directive in the IT department to cut software license fees, storage costs and management overhead, but rarely includes the input of legal or consideration of legal e-discovery. This is when the volume of data being stored in the cloud becomes an extreme burden. Downloading hundreds upon hundreds of gigabytes of data from remote servers can be very time consuming. Depending on the litigation, you may have to perform multiple collections to ensure a complete collection due to timing issues.

The ideal solution would be to place select data on hold and only collect the data being held. The next best solution would be to conservatively hold broader categories of data and only collect data imminently needed for e-discovery. However, placing a legal hold on data stored in the cloud is challenging as there are no turn-key solutions to implement and manage this process. Some providers are working on integrating these features into their hosted solutions for email, but the execution and management is extremely cumbersome and an all or nothing solution implemented on an entire mailbox. Additionally, collecting data from the cloud can present new technology challenges. The IT department that used to be able to run scripts or other backend processes to collect data may find no such options are available with data stored in the cloud. Many times this process is developed during the heat of litigation, which increases the likelihood of mistakes and potential sanctions or adverse inference instructions.

To address many of the issues discussed above, the legal department should open a line of communication with the IT department and ensure the following questions are addressed:

What level of control or access to the organization’s data is allowed by the cloud services provider?

Does the service level agreement with the cloud services provider include language regarding extraction of data for e-discovery?

Does the cloud services provider have documentation on their data preservation and collection processes?

Has testing been performed on the collection process to validate the integrity of the data and timing?

Does the cloud services provider keep and track appropriate chain-of-custody?

Is there a defensible process for preserving and collecting data from the cloud services provider?

What is the process for collecting data when the volume is too great to download from the cloud?

For international organizations, can data be hosted in select global locations to ensure compliance with local, national and international data privacy laws?

A successful cloud strategy is one that takes into account the potential obstacles for preserving and collecting information for the purposes of e-discovery. Knowing where the service provider’s provisions end and where your organization’s start is vital to ensuring a comprehensive, efficient and effective ESI request response.